package com.lg.atp.sercurity;


import java.util.Collection;
import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

import com.lg.atp.common.Constants;
	
@Component("myAccessDecisionManager")
public class MyAccessDecisionManager implements AccessDecisionManager {
	
	
	
	@Override
	public void decide(Authentication authentication, Object object,
	Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
	
		
		//如果该URL没有配置权限，那么只要有修改过密码就可以访问
		if (configAttributes == null) {
				return;
		} 
		// 所请求的资源拥有的权限(一个资源对多个权限)
		Iterator<ConfigAttribute> iterator = configAttributes.iterator();
		while (iterator.hasNext()) {
		      ConfigAttribute configAttribute = iterator.next();
				// 访问所请求资源所需要的权限
			  String needPermission = configAttribute.getAttribute();
			   
			  if (!StringUtils.isEmpty(needPermission)) {
				   //如果配置的是默认角色，则不需要判断是否修改过密码
				    if(needPermission.equals(Constants.DEFAULT_ROLE))
				    	return;
					// 用户所拥有的权限authentication
					for (GrantedAuthority ga : authentication.getAuthorities()) {
						if (ga != null ) {
							//int isAllowed = SecurityUserHolder.getCurrentUser().getIsAllowed();
							int isAllowed = 1;
							if (needPermission.equals(ga.getAuthority()) && isAllowed == 1) {
								return;
							}
						}
		
					}
		
				}
		}
	
		throw new AccessDeniedException("没有访问权限！");  
	}
	
	
	@Override
	public boolean supports(ConfigAttribute cfg) {
	return true;
	
	}
	
	@Override
	public boolean supports(Class<?> classes) {
	return true;
	
	}


	
}
	
